Resource-based policy examples for AWS KMS - AWS Database Migration Service


Resource-based policy examples for AWS KMS

AWS DMS lets you create custom AWS KMS encryption keys to encrypt the data of supported target endpoints. To learn how to create a key policy and attach it to an encryption key you created to encrypt supported target data, see Creating AWS KMS keys to encrypt Amazon Redshift target data and Creating AWS KMS keys to encrypt Amazon S3 target objects.

Policy for a custom AWS KMS encryption key to encrypt Amazon Redshift target data

The following example shows the JSON of a key policy created for the AWS KMS encryption key that you created to encrypt Amazon Redshift target data.

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-Redshift-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

In this example, you can see that the key policy references the role for accessing Amazon Redshift target endpoint data, a role that you created before creating the key. In the example, that role is DMS-Redshift-endpoint-access-role. You can also see the different key actions permitted for different principals (users and roles). For example, any user with DMS-Redshift-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside of AWS KMS. They can also return detailed information about an AWS KMS key, such as the key you just created. In addition, such a user can manage attachment to AWS resources, such as the target endpoint.

Policy for a custom AWS KMS encryption key to encrypt Amazon S3 target data

The following example shows the JSON of a key policy created for the AWS KMS encryption key that you created to encrypt Amazon S3 target data.

{
  "Id": "key-consolepolicy-3",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:root"
        ]
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow access for Key Administrators",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/Admin"
        ]
      },
      "Action": [
        "kms:Create*",
        "kms:Describe*",
        "kms:Enable*",
        "kms:List*",
        "kms:Put*",
        "kms:Update*",
        "kms:Revoke*",
        "kms:Disable*",
        "kms:Get*",
        "kms:Delete*",
        "kms:TagResource",
        "kms:UntagResource",
        "kms:ScheduleKeyDeletion",
        "kms:CancelKeyDeletion"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow use of the key",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Allow attachment of persistent resources",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::987654321098:role/DMS-S3-endpoint-access-role"
        ]
      },
      "Action": [
        "kms:CreateGrant",
        "kms:ListGrants",
        "kms:RevokeGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        }
      }
    }
  ]
}

In this example, you can see that the key policy references the role for accessing Amazon S3 target endpoint data, a role that you created before creating the key. In the example, that role is DMS-S3-endpoint-access-role. You can also see the different key actions permitted for different principals (users and roles). For example, any user with DMS-S3-endpoint-access-role can encrypt, decrypt, and re-encrypt the target data. Such a user can also generate data keys for export, to encrypt data outside of AWS KMS. They can also return detailed information about an AWS KMS key, such as the key you just created. In addition, such a user can manage attachment to AWS resources, such as the target endpoint.
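The two policies above differ only in the endpoint role name, so the same offline review applies to both. The following is an added example, not code from the AWS documentation or from AWS DMS: it loads a constructed, trimmed copy of the Redshift key policy (the Key Administrators statement is left out) and answers two questions a reviewer asks of such a policy, which statements let the DMS role perform a given kms action, and whether every kms:CreateGrant permission for a non-root principal carries the kms:GrantIsForAWSResource condition and every principal belongs to the key's account. Deny statements, conditions other than that one, and IAM identity policies are out of scope.

```python
import json
from fnmatch import fnmatch

ACCOUNT = "987654321098"
DMS_ROLE = f"arn:aws:iam::{ACCOUNT}:role/DMS-Redshift-endpoint-access-role"
# Constructed copy of the Redshift key policy above, trimmed to the statements the
# checks exercise (the Key Administrators statement is left out).
KEY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::%s:root"]}, "Action": "kms:*", "Resource": "*"},
 {"Sid": "Allow use of the key", "Effect": "Allow", "Principal": {"AWS": ["%s"]},
  "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
  "Resource": "*"},
 {"Sid": "Allow attachment of persistent resources", "Effect": "Allow", "Principal": {"AWS": ["%s"]},
  "Action": ["kms:CreateGrant", "kms:ListGrants", "kms:RevokeGrant"], "Resource": "*",
  "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}]}""" % (ACCOUNT, DMS_ROLE, DMS_ROLE))

def _list(v):
    # Policy elements such as Action and Principal.AWS may be a string or a list.
    return v if isinstance(v, list) else [v]

def _principals(stmt):
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _list(p.get("AWS", []))

def _grants(stmt, action):
    # IAM action names match case-insensitively and may end in a "*" wildcard.
    return any(fnmatch(action.lower(), pat.lower()) for pat in _list(stmt.get("Action", [])))

def allowing_sids(policy, principal, action):
    """Sids of Allow statements that grant `action` to `principal` (Deny is not modelled)."""
    return [s.get("Sid", "") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and principal in _principals(s) and _grants(s, action)]

def review(policy, account):
    """Least-privilege checks for a DMS key policy; an empty list means every check passed."""
    findings = []
    for s in policy["Statement"]:
        sid, plist = s.get("Sid", "<no Sid>"), _principals(s)
        if s.get("Effect") != "Allow":
            continue
        findings += [f"{sid}: principal {p} is outside account {account}"
                     for p in plist if p == "*" or f"::{account}:" not in p]
        # The condition may be written as a JSON boolean or as the string "true".
        cond = s.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
        if _grants(s, "kms:CreateGrant") and str(cond).lower() != "true" \
                and any(not p.endswith(":root") for p in plist):
            findings.append(f"{sid}: kms:CreateGrant is not limited to grants made by AWS services")
    return findings
```

Run review() against a copy of the policy with the Condition block removed and the third statement is reported, which is the check you want in place before a DMS role is allowed to create grants on a production key.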